[AAA-40] [SECURITY] SQLite: memory corruption leading to DoS and possible code execution CVE-2015-3414 and CVE-2015-3416

Thu, 21 Mar 2019 11:56:41 +0000

The Helium release of AAA uses SQL statements prepared using string concatenation of user-supplied variables. This theoretically exposes an SQL injection vulnerability, but testing has revealed no cases that could cross a trust boundary and be useful to an attacker. However, as a result of allowing users to directly manipulate SQL statements, AAA exposes two underlying vulnerabilities in SQLite:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416

Another vulnerability in SQLite was also reported:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415

But AAA does not expose this vulnerability, because it relies on injection of DDL and AAA only allows an attacker to inject DML.

To resolve these vulnerabilities, we need to either switch to using prepared statements, or upgrade SQLite to a patched version, preferably both. The Lithium release uses prepared statements and is not vulnerable.

OpenDaylight JIRA

[AAA-40] [SECURITY] SQLite: memory corruption leading to DoS and possible code execution CVE-2015-3414 and CVE-2015-3416